How organizations handled threat detection and visibility during the pandemic

Threat detection

Organizations were caught off guard by the sudden shift to a remote work environment brought on by the pandemic, but employees have shown their leaders that productivity not only was not impacted; in certain cases, it actually increased.

CIOs state that employees have adjusted well to the sudden shift and have ensured that productivity has not been affected. Because of this forced experiment, organizations may opt to continue with a remote workforce even after the pandemic has passed. As per a survey conducted by Gartner, organizations may opt to keep 41% of their workforce in a remote environment. This is a 30% rise compared to the pre-pandemic situation. CFOs have started to reduce spending on office real estate.

IT leaders state that, at the current rate, remote work will continue for a long time, so security personnel require new ways to maintain visibility, threat detection, and monitoring. These are required to safeguard the rapidly disintegrating network perimeter. New blind spots continue to crop up, but four key areas (email, endpoint, application, and cloud) need to be secured with a Security Information and Event Management (SIEM) solution to boost monitoring and visibility capacity.

Email: Hackers are good at creating near-authentic and compelling phishing emails and have gotten even better during the lockdown. As per a survey conducted by Gartner, over 94% of malware reaches organizations via email. Security teams require a centralized view of the organization to understand what happens after a phishing email is opened.

Security Operations Center teams achieve this by sending a combination of network flows and the relevant email events to a central SIEM tool for analysis. IT leaders state that a clear overview can be obtained by analyzing the email events produced by gateways such as Cisco IronPort or Proofpoint. Security teams also use network analytics to gain better insight into such threats.

Application: IT leaders state that monitoring application activity is crucial to ensure organizational safety. Doing so helps to expose cyber-attackers already present in the network. Monitoring can be applied at several levels, such as SAP, Salesforce, Okta, Cloud Identity Connect, CASB solutions, Zscaler, Kubernetes, etc.

CIOs state that network monitoring helps to give details on how the application data travels across the network, connections to the system, and/or any abnormal traffic hitting the system.

Endpoint: IT leaders of organizations that previously did not have remote work policies, as well as those that already had remote work enabled, have said that the sudden shift to remote work and the enablement of Virtual Private Networks created a massive blind spot for end-user and endpoint activity. Security teams have used a combination of VPN, operating system, and EDR events to help detect threat activity. Once the data is collected, teams can use correlation-based analytics and machine learning analytics to pinpoint known and unknown threats to the system.
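As an added example (not from the original article or from any vendor product), the following Python script shows the kind of time-window correlation a SIEM rule performs over the email and endpoint events discussed above: it links an opened email attachment to a scripting process spawned by an Office application on the same user's endpoint and then to an outbound connection from that host, and it separately flags a VPN user whose logins come from two different countries within an hour. The normalized event shape, field names, sample records, the internal address range (10.0.0.0/8) and the process lists are all constructed assumptions for the demonstration.

```python
"""Time-window correlation over email, EDR, network-flow and VPN events.

Added illustration only: the normalized event shape, field names, sample
records and the internal address range are constructed assumptions, not
the output of any real SIEM, email gateway, EDR or VPN product.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the corporate network is 10.0.0.0/8; anything else is external.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Assumption: parent/child pairs that make a "document spawned a script host" chain.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Constructed sample events, as they might look after SIEM normalization.
EVENTS = [
    {"ts": "2020-05-04T09:00:00", "source": "email", "user": "alice",
     "action": "delivered", "attachment": "invoice.doc"},
    {"ts": "2020-05-04T09:03:10", "source": "email", "user": "alice",
     "action": "opened", "attachment": "invoice.doc"},
    {"ts": "2020-05-04T09:04:00", "source": "edr", "user": "alice", "host": "alice-laptop",
     "action": "process_start", "parent": "WINWORD.EXE", "process": "powershell.exe"},
    {"ts": "2020-05-04T09:04:30", "source": "netflow", "host": "alice-laptop",
     "dst": "203.0.113.7", "dport": 443, "bytes": 12000},
    {"ts": "2020-05-04T09:04:40", "source": "netflow", "host": "alice-laptop",
     "dst": "10.1.2.3", "dport": 445, "bytes": 800},
    {"ts": "2020-05-04T08:30:00", "source": "vpn", "user": "bob",
     "action": "login", "country": "US"},
    {"ts": "2020-05-04T08:45:00", "source": "vpn", "user": "bob",
     "action": "login", "country": "DE"},
    {"ts": "2020-05-04T10:00:00", "source": "email", "user": "carol",
     "action": "opened", "attachment": "report.pdf"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _within(later, earlier, window):
    """True when `later` happened at or after `earlier` and no more than `window` later."""
    delta = _ts(later) - _ts(earlier)
    return timedelta(0) <= delta <= window


def is_external(ip):
    """Destination outside the assumed corporate range counts as external."""
    return ipaddress.ip_address(ip) not in INTERNAL_NET


def phishing_chain_alerts(events, open_to_exec=timedelta(minutes=10),
                          exec_to_net=timedelta(minutes=5)):
    """Email 'opened' -> Office app spawns a script host for the same user ->
    that host connects to an external address. Returns one alert per chain."""
    events = sorted(events, key=_ts)
    alerts = []
    for opened in (e for e in events if e["source"] == "email" and e["action"] == "opened"):
        for proc in (e for e in events if e["source"] == "edr" and e["action"] == "process_start"):
            if proc["user"] != opened["user"] or not _within(proc, opened, open_to_exec):
                continue
            if proc["parent"].lower() not in OFFICE_APPS or proc["process"].lower() not in SCRIPT_HOSTS:
                continue
            outbound = [n for n in events
                        if n["source"] == "netflow" and n["host"] == proc["host"]
                        and is_external(n["dst"]) and _within(n, proc, exec_to_net)]
            if outbound:
                alerts.append({"rule": "phishing_chain", "user": opened["user"],
                               "host": proc["host"], "attachment": opened["attachment"],
                               "process": proc["process"],
                               "destinations": sorted({n["dst"] for n in outbound})})
    return alerts


def vpn_country_change_alerts(events, window=timedelta(minutes=60)):
    """Two consecutive VPN logins by one user from different countries within `window`."""
    logins = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["source"] == "vpn" and e["action"] == "login":
            logins[e["user"]].append(e)
    alerts = []
    for user, seq in logins.items():
        for prev, cur in zip(seq, seq[1:]):
            if prev["country"] != cur["country"] and _within(cur, prev, window):
                alerts.append({"rule": "vpn_country_change", "user": user,
                               "from": prev["country"], "to": cur["country"],
                               "minutes_apart": (_ts(cur) - _ts(prev)).total_seconds() / 60})
    return alerts


if __name__ == "__main__":
    for alert in phishing_chain_alerts(EVENTS) + vpn_country_change_alerts(EVENTS):
        print(alert)
```

The point of joining the three sources is that none of them is conclusive alone: an opened attachment, a PowerShell launch, and an HTTPS connection each occur constantly in a normal day, but the same user producing all three within a few minutes is the "what happens after the phishing mail is opened" view the article calls for. The user field is the join key between the email gateway and the EDR, and the hostname is the join key between the EDR and the flow data, so both must be present in the normalized records for the rule to fire.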

Cloud: IT leaders state that as many physical data centers closed due to the lockdown, they were faced with a sudden requirement to reduce on-site maintenance of IT systems. Many adopted cloud migration and digital transformation to ensure seamless productivity. Major cloud vendors like Google Cloud, Azure, AWS, and IBM provide event, log, and network flow data that can be integrated with a SIEM solution to obtain detection and visibility across multi-cloud and on-premise environments.

By increasing centralized security analytics across phishing, cloud security, application, and endpoint data, IT leaders can obtain deeper insight to boost the security infrastructure of the organization.